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1. INTRODUCTION 

Nowadays, the Internet has become an integral part of our daily lives. It makes communication 
easier. The internet of things (IoT) is becoming more widely used both in everyday life and in the industry. 
IoT devices are small and able to communicate with each other without requiring a human being during 
communication [1], [2]. It can apply to a variety of systems such as smart home, smart farm, smart factory, 
increasing IoT devices. It is predicted that by 2030, there would be 125 billion IoT devices connected to the 
internet [3]. This would likely put all such devices at risk of being used in DDoS attacks because IoT devices 
cannot support the complex security structure given it’s limited resources as in processors or backup 
memory, thus making these devices especially vulnerable. If this vulnerability is not fixed, there is a chance 
of it being attacked and compromised as IJoT devices for use in DDoS attacks [4], [5]. 

DDoS attacks have been around for a long time. The first occurred on July 22, 1999, when a 
computer at the University of Minnesota, containing a dangerous script named TrinO0, attacked 114 other 
computers [6], [7]. On October 21, 2016, Dyn, a DNS service provider, was attacked, causing Twitter, 
GitHub, Playstation Network, and other websites to be unavailable for a while. The IT security company said 
the attack linked to the Mirai IoT DDoS Botnet [8], [9], and on February 28, 2018, GitHub was hit by a 1.35 
Tbps DDoS attack with 126.9 million packages per second [10]. Aside from being unable to be of service 
after being attacked it can also cause financial damage. Kaspersky Lab reports estimated average damage to 
medium-sized businesses (SMBs) are $120K, and to large companies are $2 million per attack [11]. 
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Threats arising from the growing number of IoT devices and new DDoS attack techniques have 
resulted in the detection and blocking of attacks with deep learning (DL). DL is useful in finding 
relationships between the prominent features of the dataset that distinguish between "normal" and "abnormal" 
and can predict the likelihood if new attacks would occur in the future by learning from existing examples 
[12], [13]. Nowadays, DL is very popular due to its efficiency and non-linear multi-layer processing, 
including Python, with support libraries allowing us to create artificial neural networks more quickly than in 
the past [14]. 

Unal et al. presented DDoS attacks on the network with deep learning, using NSL-KDD datasets to 
show their IDS performance. The dataset consists of 23 different attacks with 41 features. They have 
reviewed the literature to reduce it to only 24 features related to DDoS attacks. The accuracy is 98.8% [15]. 
Diro and Chilamkurti, also presented a distributed attack detection in IoT with deep learning using the same 
dataset but using apache spark techniques to help train the modelling process and securing an accuracy of 96- 
99%. However, the dataset used is the old dataset and therefore it may not predict new attacks that could 
occur [16]. 

Doshi et al. used machine learning to detect DDoS in the IoT using data collected from real IoT 
devices. They simulated the Botnet attack environment using five algorithms to measure performance: KN, 
LSVM, DT, RF, NN. From the results, the neural network had 98.9% accuracy with the dataset they created 
[17]. 

In this research, we use the dataset of CICDDoS2019, which is the dataset of DDoS attack, and uses 
the classification algorithm of deep learning, learning from the dataset order to find a suitable neural network 
structure that can differentiate between standard data and attack data. Authors have organized this 
presentation into the following sections: Introduction - Research Method - Results and Discussion — 
Conclusion. 


1.1. Distributed denial-of-service attack 

DDoS attacks are caused by computer equipment or IoT devices infected with malware and trying to 
prevent online services from providing services to users usually by blocking or causing the server to stop 
service temporarily, DDoS is often used from a large number of occupied devices through the distribution of 
Botnet, which is different from DoS attacks with a single device connecting to the internet and flooding 
attacks to the target machine [18], [19]. 


1.2. Artificial neural network 

Artificial neural networks (ANNs) are a set of algorithms inspired by the biological structure of the 
human and animal brain. ANN consists of interconnected "units." In biology, these units are called a neurons. 
These neurons are processed and sent to another neuron, acting as a switch to turn on and off. The elements 
of the artificial neural network are quite simple, but the complexity and energy of this system is derived from 
the interaction between the various components. 

In the 50s, the first artificial neural network (ANN) was created to perform simple logical functions. 
AI can be used in algebra, geometry, language, and robotics. In recent years, access to a large amount of 
information is possible. The computing power and machine learning techniques (ML) are becoming 
increasingly useful in businesses, and especially in the advent of a graphics processing unit (GPU) that can be 
used to train models with large neural networks efficiently which we know of as deep neural networks 
(DNNs) [20]. 


1.3. Deep neural network (DNN) and long short-term memory (LSTM) 

A deep neural network is a network for multi-layered inference based on logistic regression models 
with two-dimensional input. All the neural networks consist of an input layer, an output layer, and one or 
many hidden layers. If there are many hidden layers, we will call them deep neural networks. LSTMs are 
caused by using RNNs to improve the vanishing gradient and exploding gradient problems by creating an 
architecture that can remember information for a long time. From the above structure, DNN and LSTM can 
correlate each data including the use of supervised learning techniques to assist in the training process, 
allowing DDoS to be detected more efficiently [21], [22]. 


2. RESEARCH METHOD 

The operation overview in Figure | shows the divided process in 5 steps. Starting with the first step, 
after we get the datasets, they are not immediately available. Therefore, we need to proceed to the next step. 
The second step is the data preparation process. We will do data cleaning, feature selection, and feature 
engineering to prepare the data for this step. Then we will split the datasets into three sets in the third step to 
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creating a set of training data, validation data and testing data for use in the training process. After that, we 
will go through the fourth step about designing a deep neural network structure. In this step of the process, 
the training data and validation data will be used. The tuning of the hyperparameters is done in conjunction 


with the validation process to determine the optimal structure. Once the structure is optimized for the 
datasets, the fifth step is to evaluate the designed models’ measurement using testing data to measure the 


results. 
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Figure 1. Operation overview 


2.1. Dataset 

In this paper, we use the CICDD0S2019 dataset of the “Developing Realistic Distributed Denial of 
Service (DDoS) Attack Dataset and Taxonomy” research. They have improved the existing dataset and have 
presented a new taxonomy for DDoS attacks, including bug fixes including new classification based on flows 
network. It also has features for detecting different types of DDoS attacks with a consistent weight [23]. 


2.2. Data preparation 

After the dataset has loaded it will not be able to work with deep learning at all, therefore it must go 
through the data preparation process first. 1) Data cleaning is to remove data that is not usable, such as empty 
data, and special characters. 2) Feature selection is selecting the relevant feature for DDoS attack detection. It 
can be chosen by using the Weka algorithm or reviewing literature from proper research in order to minimize 
the irrelevant attack detection features. 3) Feature engineering, is to transform the data into a form that deep 
learning can use in the training process. 


2.3. Dataset splitting 
After we have the dataset, the training model is usually divided into three parts: training data, 
validation data, and testing data. In the classification training process, we use the training dataset [24]. 


2.4. Deep neural network 

The first step is to define the structure of the deep neural network. It is the structure to use to learn 
data from the dataset we entered. It usually consists of three main layers: 1) The input layer is responsible for 
receiving data from the dataset. Typically, one node is equal to one dimension or the number of features 
contained in the dataset. 2) The hidden layer is the layer that receives data from the input layer. The data 
obtained is weighted. In this class, the number of nodes must be set appropriately in order to be able to learn 
complex information. 3) Output layer is the last layer that receives data from the previous layer. In this layer, 
the value is the number of probabilities, with the numbers being 0.00 to 1.00 only. 

In the second step, hyperparameter optimization is an enhancement that is related to the training 
model process for better results. The adjustment will consist of: 1) The learning rate affects the finding of the 
loss by having to find the most suitable value in order not to make the loss worse. 2) Batch size affects the 
accuracy of the model and it increases the time to train the model. If the adjustment is too small, it will take a 
long time to train. If the alignment is too large, it will use a lot of resources. 3) Epochs the number of cycles 
of the model trend. If the loss value continues to decrease, we can increase the number of rounds until it 
reaches a point where the loss value does not change. 4) Hidden layer, the more multiple layers, the more 
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accurate. Therefore, adjust the number of layers to suit our dataset. 5) Hidden units, the number of nodes in 
the hidden layer must be optimized, and there is enough to learn the complexity of the data. 6) Dropout is a 
technique that is used to drop connections between nodes randomly. It can be done during model training 
since some nodes may coincide and also helps to reduce overfitting occurrences [25]. 


2.5. Evaluation 

We can measure the effectiveness of the deep learning model that we will use to detect DDoS 
attacks by using indicators from the standard matrix as follows: 1) Accuracy is the model's overall accuracy. 
2) Precision is the probability that the model will predict the correct attack. 3) The recall is the probability 
that the model can detect attacks from the total number of attacks. 4) F-Measure or Fl-Score is a harmonic 
mean between precision and recall. The formulas for calculating values are in the bottom equation. 


Accuracy = (TP+TN)/(TP+TN+FP+FN) 

Precision = TP/(TP+FP) 

Recall = TP/(TP+FN) 

F-Measure = 2((Precision*Recall)/(Precision+Recall)) 


Where TP, TN, FP, and FN stand for true positives, true negatives, false positives, and false 
negatives, respectively. This step will help us find the best model for the dataset we choose to use, as well as 
how well the selected model will work in the future. 


3. RESULTS AND DISCUSSION 
3.1. Experimental settings and results 

In the testing process, the DDoS attack detection model tested using Python 3.6.9 and Keras 2.2.5 in 
the Google Colab environment: Intel Xeon CPU, 2.20GHz, 12.48GB memory with OS Ubuntu 18.04.3 LTS. 
The structure of deep learning as shown in Figures 2 and 3, designed to detect all three types of DDoS 
attacks: Syn Flood, UDP, and UDP-Lag. Dropout inserts to reduce overfitting during model training The 
comparison was also conducted between the DNN model and the LSTM model. The DNN and LSTM 
structures are designed for performance comparisons. The DNN structures consist of four dense layers and 
three dropout layers, as shown in Figure 2. The LSTM structure consists of one LSTM layer, three dense 
layers, and three dropout layers, as shown in Figure 3. We assign 20 nodes to the first layer in each structure, 
40 nodes and 60 nodes for the second and third layers, respectively. The layer is inserted with the dropout 
layer. 


input: (None, 23) input: (None, 1, 23) 
dense_1_input: InputLayer Istm_1_input: InputLayer = 
output: | (None, 23) output: | (None, 1, 23) 
Y y 
input: (None, 23) input: | (None, 1, 23) 
dense_1: Dense lsum_1: LSTM 
output: | (None, 20) output: (None, 20) 
input: | (None, 20) input: | (None, 20) 
dropout_1: Dropout dropout_1: Dropout 
output: | (None, 20) output: | (None, 20) 
Y 
input (None, 20) input: | (None, 20) 


dense_2: Dense dense_1: Dense 


output: | (None, 40) output: | (None, 40) 


input: (None, 40) input: (None, 40) 
dropout_2: Dropout dropout_2: Dropout 
output: | (None, 40) output: | (None, 40) 
y Y 
input: (None, 40) input: | (None, 40) 


dense_3: Dense 


dense_2: Dense 


output: | (None, 60) output: | (None, 60) 


input: (None, 60) input: (None, 60) 


dropout_3: Dropout dropout_3: Dropout 


output: | (None, 60) output: | (None, 60) 


y y 

input: | (None, 60) input: | (None, 60) 
dense_4: Dense dense_3: Dense 

output: | (None, 2) output: | (None, 2) 
Figure 2. DNN structure Figure 3. LSTM structure 
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As for the characteristics as shown in Figure 4, choose to use the attributes according to the research 
of the dataset due to the better detection performance compared to the experiments that we experimented 
with selecting the characteristics ourselves. The datasets that we choose to use are the Syn, UDP, and UDP- 
Lag attack datasets. Each dataset divided into Training data (60%), validation data (10%), and test data 
(10%), respectively, and we feed the training data into our deep network models. 


‘ Destination Port’ int64 
" Protocol’ int64 
‘ Flow Duration’ int64 
‘Total Length of Fwd Packets’ int64 
' Fwd Packet Length Max’ int64 
‘ Fwd Packet Length Min‘ int64 
" Fwd Packet Length Std' float64 
‘ Flow IAT Mean' float64 
‘ Plow IAT Max’ int64 
‘ Flow IAT Min’ int64 
‘Fwd IAT Total’ int64 
‘ Fwd IAT Mean’ float64 
' Fwd IAT Max' int64 
‘ Fwd Header Length’ int64 
‘Fwd Packets/s' float64 
‘ Min Packet Length’ int64 
‘ Max Packet Length’ int64 
‘ Packet Length Std‘ float64 
" ACK Flag Count’ int64 
" Average Packet Size’ float64 
‘ Subflow Fwd Bytes‘ int64 
Init_Win_bytes_ forward int64 
" min_seg size forward’ int64 
Class int64 


dtype: object 


Figure 4. Features selection [23] 


From Table 1, is to determine the hyperparameter and optimizer we use RAdam instead of Adam 
because it is more smooth in the training process by setting total_steps = 5,000, warmup_proportion = 0.1, 
min_Ir = 0.001, and set the number of Epochs as ten because after this model it can no longer reduce losses. 
The results of the DNN and LSTM tests achieved almost the same performance, but LSTM was able to 
capture Syn Flood, and UDP Flood attacks a little better. DNN detected slightly better UDP-Lag attacks. In 
the attack detection tests as shown in Tables 2 and 3, it can see that the DNN shows the FI score or F- 
Measure at .9995-.9997, and the accuracy is .9993-.9995. LSTM, the effectiveness of Fl-Score or F-Measure 
is .9994-.9998, and the accuracy is .9990-.9997 for all three types of DDoS classification. 


Table 1. Model parameters 


Variable Values 
Loss categorical_crossentropy 
Activation Relu 
Optimizer RAdam 
Epochs 10 
Batch size 64 


Table 2. The performance of DNN 


Accuracy Precision Recall F-Measure 
Syn 0.9995 0.9998 0.9997 0.9997 
UDP 0.9995 0.9995 1.0 0.9997 
UDP-Lag 0.9993 0.9994 0.9997 0.9995 


Table 3. The performance of LSTM 


Accuracy Precision Recall F-Measure 
Syn 0.9997 0.9998 0.9998 0.9998 
UDP 0.9996 0.9996 1.0 0.9998 
UDP-Lag 0.9990 0.9989 1.0 0.9994 
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4. CONCLUSION 

In this article, we propose deep learning based DDoS detection methods using the DNN and LSTM 
algorithms. We designed the deep neural network structure that is appropriate for the classification of attacks 
in the CICDDoS2019 dataset by the results of the three attack detection experiments. The types of Syn Flood, 
UDP Flood, and UDP-Lag can distinguish "normal" and "abnormal" data from each other, with an average 
accuracy of 99.90-99.97%. For future work, we plan to increase the variety of learning to compare with the 
DNN and LSTM algorithms, as well as to bring models to test with the rest of the attack types such as DNS, 
NetBIOS, SNMP, to compare the performance of the model. We can include different kinds of dataset 
attacks to increase the challenge of detecting attacks and using the model created for testing in the real world. 
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